crackerjack 0.31.17__py3-none-any.whl → 0.32.0__py3-none-any.whl

crackerjack/core/workflow_orchestrator.py

@@ -40,6 +40,7 @@ class WorkflowPipeline:
         self.session = session
         self.phases = phases
         self._mcp_state_manager: t.Any = None
+        self._last_security_audit: t.Any = None  # Store security audit report
 
         self.logger = get_logger("crackerjack.pipeline")
         self._debugger = None
@@ -166,9 +167,15 @@ class WorkflowPipeline:
 
         # Code cleaning is now integrated into the quality phase
         # to run after fast hooks but before comprehensive hooks
-        if not await self._execute_quality_phase(options):
+        quality_success = await self._execute_quality_phase(options)
+        if not quality_success:
             success = False
-            return False
+            # Don't return early - continue to publishing/commit phases if requested
+            # This allows -p and -c flags to work even when quality checks fail
+            if not (options.publish or options.all or options.commit):
+                # Only exit early if no publishing/commit operations are requested
+                return False
+
         if not self.phases.run_publishing_phase(options):
             success = False
             self.session.fail_task("workflow", "Publishing failed")
@@ -239,15 +246,50 @@ class WorkflowPipeline:
         testing_passed: bool,
         comprehensive_passed: bool,
     ) -> bool:
-        if not testing_passed or not comprehensive_passed:
+        # Check security gates for publishing operations
+        publishing_requested, security_blocks = (
+            self._check_security_gates_for_publishing(options)
+        )
+
+        if publishing_requested and security_blocks:
+            # Try AI fixing for security issues, then re-check
+            security_fix_result = await self._handle_security_gate_failure(
+                options, allow_ai_fixing=True
+            )
+            if not security_fix_result:
+                return False
+            # If AI fixing resolved security issues, continue with normal flow
+
+        # Determine if we need AI fixing based on publishing requirements
+        needs_ai_fixing = self._determine_ai_fixing_needed(
+            testing_passed, comprehensive_passed, publishing_requested
+        )
+
+        if needs_ai_fixing:
             success = await self._run_ai_agent_fixing_phase(options)
             if self._should_debug():
                 self.debugger.log_iteration_end(iteration, success)
             return success
 
+        # Determine final success based on publishing requirements
+        final_success = self._determine_workflow_success(
+            testing_passed,
+            comprehensive_passed,
+            publishing_requested,
+            workflow_type="ai",
+        )
+
+        # Show security audit warning for partial success in publishing workflows
+        if (
+            publishing_requested
+            and final_success
+            and not (testing_passed and comprehensive_passed)
+        ):
+            self._show_security_audit_warning()
+
         if self._should_debug():
-            self.debugger.log_iteration_end(iteration, True)
-        return True
+            self.debugger.log_iteration_end(iteration, final_success)
+        return final_success
 
     def _handle_standard_workflow(
         self,
@@ -256,20 +298,38 @@ class WorkflowPipeline:
         testing_passed: bool,
         comprehensive_passed: bool,
     ) -> bool:
-        success = testing_passed and comprehensive_passed
+        # Check security gates for publishing operations
+        publishing_requested, security_blocks = (
+            self._check_security_gates_for_publishing(options)
+        )
 
-        if not success and getattr(options, "verbose", False):
+        if publishing_requested and security_blocks:
+            # Standard workflow cannot bypass security gates
+            return self._handle_security_gate_failure(options, allow_ai_fixing=False)
+
+        # Determine success based on publishing requirements
+        success = self._determine_workflow_success(
+            testing_passed,
+            comprehensive_passed,
+            publishing_requested,
+            workflow_type="standard",
+        )
+
+        # Show security audit warning for partial success in publishing workflows
+        if (
+            publishing_requested
+            and success
+            and not (testing_passed and comprehensive_passed)
+        ):
+            self._show_security_audit_warning()
+        elif publishing_requested and not success:
             self.console.print(
-                f"[yellow]⚠️ Workflow stopped-testing_passed: {testing_passed}, comprehensive_passed: {comprehensive_passed}[/ yellow]"
+                "[red]❌ Both tests and comprehensive hooks failed - cannot proceed to publishing[/red]"
             )
-            if not testing_passed:
-                self.console.print(
-                    "[yellow] → Tests reported failure despite appearing successful[/ yellow]"
-                )
-            if not comprehensive_passed:
-                self.console.print(
-                    "[yellow] → Comprehensive hooks reported failure despite appearing successful[/ yellow]"
-                )
+
+        # Show verbose failure details if requested
+        if not success and getattr(options, "verbose", False):
+            self._show_verbose_failure_details(testing_passed, comprehensive_passed)
 
         if options.ai_agent and self._should_debug():
             self.debugger.log_iteration_end(iteration, success)
@@ -995,6 +1055,276 @@ class WorkflowPipeline:
             self.debugger.log_test_failures(test_count)
             self.debugger.log_hook_failures(hook_count)
 
+    def _check_security_gates_for_publishing(
+        self, options: OptionsProtocol
+    ) -> tuple[bool, bool]:
+        """Check if publishing is requested and if security gates block it.
+
+        Returns:
+            tuple[bool, bool]: (publishing_requested, security_blocks_publishing)
+        """
+        publishing_requested = bool(options.publish or options.all or options.commit)
+
+        if not publishing_requested:
+            return False, False
+
+        # Check security gates for publishing operations
+        try:
+            security_blocks_publishing = self._check_security_critical_failures()
+            return publishing_requested, security_blocks_publishing
+        except Exception as e:
+            # Fail securely if security check fails
+            self.logger.warning(f"Security check failed: {e} - blocking publishing")
+            self.console.print(
+                "[red]🔒 SECURITY CHECK FAILED: Unable to verify security status - publishing BLOCKED[/red]"
+            )
+            # Return True for security_blocks to fail securely
+            return publishing_requested, True
+
+    async def _handle_security_gate_failure(
+        self, options: OptionsProtocol, allow_ai_fixing: bool = False
+    ) -> bool:
+        """Handle security gate failures with optional AI fixing.
+
+        Args:
+            options: Workflow options
+            allow_ai_fixing: Whether AI fixing is allowed for security issues
+
+        Returns:
+            bool: True if security issues resolved, False if still blocked
+        """
+        self.console.print(
+            "[red]🔒 SECURITY GATE: Critical security checks failed[/red]"
+        )
+
+        if allow_ai_fixing:
+            self.console.print(
+                "[red]Security-critical hooks (bandit, pyright, gitleaks) must pass before publishing[/red]"
+            )
+            self.console.print(
+                "[yellow]🤖 Attempting AI-assisted security issue resolution...[/yellow]"
+            )
+
+            # Try AI fixing for security issues
+            ai_fix_success = await self._run_ai_agent_fixing_phase(options)
+            if ai_fix_success:
+                # Re-check security after AI fixing
+                try:
+                    security_still_blocks = self._check_security_critical_failures()
+                    if not security_still_blocks:
+                        self.console.print(
+                            "[green]✅ AI agents resolved security issues - publishing allowed[/green]"
+                        )
+                        return True
+                    else:
+                        self.console.print(
+                            "[red]🔒 Security issues persist after AI fixing - publishing still BLOCKED[/red]"
+                        )
+                        return False
+                except Exception as e:
+                    self.logger.warning(
+                        f"Security re-check failed: {e} - blocking publishing"
+                    )
+                    return False
+            return False
+        else:
+            # Standard workflow cannot bypass security gates
+            self.console.print(
+                "[red]Security-critical hooks (bandit, pyright, gitleaks) must pass before publishing[/red]"
+            )
+            return False
+
+    def _determine_ai_fixing_needed(
+        self,
+        testing_passed: bool,
+        comprehensive_passed: bool,
+        publishing_requested: bool,
+    ) -> bool:
+        """Determine if AI fixing is needed based on test results and publishing requirements."""
+        if publishing_requested:
+            # For publish/commit workflows, only trigger AI fixing if both fail
+            return not testing_passed and not comprehensive_passed
+        else:
+            # For regular workflows, trigger AI fixing if either fails
+            return not testing_passed or not comprehensive_passed
+
+    def _determine_workflow_success(
+        self,
+        testing_passed: bool,
+        comprehensive_passed: bool,
+        publishing_requested: bool,
+        workflow_type: str,
+    ) -> bool:
+        """Determine workflow success based on test results and workflow type."""
+        if publishing_requested:
+            # For publishing workflows, either test or comprehensive passing is sufficient
+            return testing_passed or comprehensive_passed
+        else:
+            # For regular workflows, both must pass
+            return testing_passed and comprehensive_passed
+
+    def _show_verbose_failure_details(
+        self, testing_passed: bool, comprehensive_passed: bool
+    ) -> None:
+        """Show detailed failure information in verbose mode."""
+        self.console.print(
+            f"[yellow]⚠️ Quality phase results - testing_passed: {testing_passed}, comprehensive_passed: {comprehensive_passed}[/yellow]"
+        )
+        if not testing_passed:
+            self.console.print("[yellow] → Tests reported failure[/yellow]")
+        if not comprehensive_passed:
+            self.console.print(
+                "[yellow] → Comprehensive hooks reported failure[/yellow]"
+            )
+
+    def _check_security_critical_failures(self) -> bool:
+        """Check if any security-critical hooks have failed.
+
+        Returns:
+            True if security-critical hooks failed and block publishing
+        """
+        try:
+            from crackerjack.security.audit import SecurityAuditor
+
+            auditor = SecurityAuditor()
+
+            # Get hook results - we need to be careful not to re-run hooks
+            # Instead, check the session tracker for recent failures
+            fast_results = self._get_recent_fast_hook_results()
+            comprehensive_results = self._get_recent_comprehensive_hook_results()
+
+            # Generate security audit report
+            audit_report = auditor.audit_hook_results(
+                fast_results, comprehensive_results
+            )
+
+            # Store audit report for later use
+            self._last_security_audit = audit_report
+
+            # Block publishing if critical failures exist
+            return audit_report.has_critical_failures
+
+        except Exception as e:
+            # Fail securely - if we can't determine security status, block publishing
+            self.logger.warning(f"Security audit failed: {e} - failing securely")
+            # Re-raise the exception so it can be caught by the calling method
+            raise
+
+    def _get_recent_fast_hook_results(self) -> list[t.Any]:
+        """Get recent fast hook results from session tracker."""
+        results = []
+
+        # Try to get results from session tracker
+        if hasattr(self.session, "session_tracker") and self.session.session_tracker:
+            for task_id, task_data in self.session.session_tracker.tasks.items():
+                if task_id == "fast_hooks" and hasattr(task_data, "hook_results"):
+                    results.extend(task_data.hook_results)
+
+        # If no results from session, create mock failed results for critical hooks
+        # This ensures we fail securely when we can't determine actual status
+        if not results:
+            critical_fast_hooks = ["gitleaks"]
+            for hook_name in critical_fast_hooks:
+                # Create a mock result that appears to have failed
+                # This will trigger security blocking if we can't determine actual status
+                mock_result = type(
+                    "MockResult",
+                    (),
+                    {
+                        "name": hook_name,
+                        "status": "unknown",  # Unknown status = fail securely
+                        "output": "Unable to determine hook status",
+                    },
+                )()
+                results.append(mock_result)
+
+        return results
+
+    def _get_recent_comprehensive_hook_results(self) -> list[t.Any]:
+        """Get recent comprehensive hook results from session tracker."""
+        results = []
+
+        # Try to get results from session tracker
+        if hasattr(self.session, "session_tracker") and self.session.session_tracker:
+            for task_id, task_data in self.session.session_tracker.tasks.items():
+                if task_id == "comprehensive_hooks" and hasattr(
+                    task_data, "hook_results"
+                ):
+                    results.extend(task_data.hook_results)
+
+        # If no results from session, create mock failed results for critical hooks
+        if not results:
+            critical_comprehensive_hooks = ["bandit", "pyright"]
+            for hook_name in critical_comprehensive_hooks:
+                mock_result = type(
+                    "MockResult",
+                    (),
+                    {
+                        "name": hook_name,
+                        "status": "unknown",  # Unknown status = fail securely
+                        "output": "Unable to determine hook status",
+                    },
+                )()
+                results.append(mock_result)
+
+        return results
+
+    def _is_security_critical_failure(self, result: t.Any) -> bool:
+        """Check if a hook result represents a security-critical failure."""
+
+        # List of security-critical hook names (fail-safe approach)
+        security_critical_hooks = {
+            "bandit",  # Security vulnerability scanning
+            "pyright",  # Type safety prevents security holes
+            "gitleaks",  # Secret detection
+        }
+
+        hook_name = getattr(result, "name", "").lower()
+        is_failed = getattr(result, "status", "unknown") in (
+            "failed",
+            "error",
+            "timeout",
+        )
+
+        return hook_name in security_critical_hooks and is_failed
+
+    def _show_security_audit_warning(self) -> None:
+        """Show security audit warning when proceeding with partial success."""
+        # Use stored audit report if available
+        audit_report = getattr(self, "_last_security_audit", None)
+
+        if audit_report:
+            self.console.print(
+                "[yellow]⚠️ SECURITY AUDIT: Proceeding with partial quality success[/yellow]"
+            )
+
+            # Show security status
+            for warning in audit_report.security_warnings:
+                if "CRITICAL" in warning:
+                    # This shouldn't happen if we're showing warnings, but fail-safe
+                    self.console.print(f"[red]{warning}[/red]")
+                elif "HIGH" in warning:
+                    self.console.print(f"[yellow]{warning}[/yellow]")
+                else:
+                    self.console.print(f"[blue]{warning}[/blue]")
+
+            # Show recommendations
+            if audit_report.recommendations:
+                self.console.print("[bold]Security Recommendations:[/bold]")
+                for rec in audit_report.recommendations[:3]:  # Show top 3
+                    self.console.print(f"[dim]{rec}[/dim]")
+        else:
+            # Fallback if no audit report available
+            self.console.print(
+                "[yellow]⚠️ SECURITY AUDIT: Proceeding with partial quality success[/yellow]"
+            )
+            self.console.print(
+                "[yellow]✅ Security-critical checks (bandit, pyright, gitleaks) have passed[/yellow]"
+            )
+            self.console.print(
+                "[yellow]⚠️ Some non-critical quality checks failed - consider reviewing before production deployment[/yellow]"
+            )
+
 
 class WorkflowOrchestrator:
     def __init__(
@@ -1063,8 +1393,8 @@ class WorkflowOrchestrator:
         session_id = getattr(self, "web_job_id", None) or str(int(time.time()))[:8]
         debug_log_file = log_manager.create_debug_log_file(session_id)
 
-        # Set log level based on verbosity - DEBUG only in verbose or debug mode
-        log_level = "DEBUG" if (self.verbose or self.debug) else "INFO"
+        # Set log level based on debug flag only - verbose should not enable DEBUG logs
+        log_level = "DEBUG" if self.debug else "INFO"
         setup_structured_logging(
             level=log_level, json_output=False, log_file=debug_log_file
         )

crackerjack/dynamic_config.py

@@ -5,30 +5,6 @@ from pathlib import Path
 import jinja2
 
 
-def _get_project_root() -> Path:
-    """Get the absolute path to the crackerjack project root."""
-    # Start from this file and go up to find the real project root
-    current_path = Path(__file__).resolve()
-    for parent in current_path.parents:
-        if (parent / "pyproject.toml").exists() and (parent / "tools").exists():
-            # Verify it's the crackerjack project by checking for unique markers and tools dir
-            try:
-                pyproject_content = (parent / "pyproject.toml").read_text()
-                if (
-                    'name = "crackerjack"' in pyproject_content
-                    and (
-                        parent / "tools" / "validate_regex_patterns_standalone.py"
-                    ).exists()
-                ):
-                    return parent
-            except Exception:
-                # If we can't read the file, continue searching
-                continue
-
-    # Fallback to the parent of the crackerjack package directory
-    return Path(__file__).resolve().parent.parent
-
-
 class HookMetadata(t.TypedDict):
     id: str
     name: str | None
@@ -70,7 +46,7 @@ HOOKS_REGISTRY: dict[str, list[HookMetadata]] = {
             "additional_dependencies": None,
             "types_or": None,
             "language": "system",
-            "entry": f"uv run python {_get_project_root() / 'tools' / 'validate_regex_patterns_standalone.py'}",
+            "entry": "uv run python -m crackerjack.tools.validate_regex_patterns",
             "experimental": False,
         },
         {

crackerjack/managers/test_command_builder.py

@@ -23,17 +23,21 @@ class TestCommandBuilder:
         if hasattr(options, "test_workers") and options.test_workers:
             return options.test_workers
 
-        import multiprocessing
-
-        cpu_count = multiprocessing.cpu_count()
-
-        if cpu_count <= 2:
-            return 1
-        elif cpu_count <= 4:
-            return 2
-        elif cpu_count <= 8:
-            return 3
-        return 4
+        # Temporarily disable multi-worker execution due to pytest-xdist
+        # hanging issues with async tests. See GitHub issue for details.
+        # TODO: Re-enable after fixing async test timeout issues
+        return 1
+
+        # Original multi-worker logic (commented out):
+        # import multiprocessing
+        # cpu_count = multiprocessing.cpu_count()
+        # if cpu_count <= 2:
+        #     return 1
+        # elif cpu_count <= 4:
+        #     return 2
+        # elif cpu_count <= 8:
+        #     return 3
+        # return 4
 
     def get_test_timeout(self, options: OptionsProtocol) -> int:
         if hasattr(options, "test_timeout") and options.test_timeout:

crackerjack/mcp/tools/execution_tools.py

@@ -29,6 +29,14 @@ def _register_execute_crackerjack_tool(mcp_app: t.Any) -> None:
 
         extra_kwargs = kwargs_result["kwargs"]
 
+        # Add extended timeout for long-running operations
+        if "execution_timeout" not in extra_kwargs:
+            # Default to 15 minutes, extend to 20 minutes for test operations
+            if extra_kwargs.get("test", False) or extra_kwargs.get("testing", False):
+                extra_kwargs["execution_timeout"] = 1200  # 20 minutes for tests
+            else:
+                extra_kwargs["execution_timeout"] = 900  # 15 minutes default
+
         try:
             result = await execute_crackerjack_workflow(args, extra_kwargs)
             return json.dumps(result, indent=2)